REQUEST FOR REVIEW



Dear Sir: 



In response to the Final Office Action mailed August 6, 2008, and further pursuant to the
Notice of Appeal and Pre-Appeal Brief Request for Review submitted herewith, Applicants
respectfully request review and reconsideration of the Final Office Action in view of the
following issues.

Claims 1-2, 4-16 and 18-25 are Allowable

The Office has rejected claims 1-2, 4-16 and 18-25, under 35 U.S.C. § 103(a), as being
unpatentable over U.S. Patent No. 6,647,400 ("Moran"), in view of U.S. Application No.
2002/0129264 ("Rowland").

The cited portions of Moran and Rowland, individually or in combination, do not disclose
or suggest the specific combination of claim 1. For example, the cited portions of Moran and
Rowland fail to disclose or suggest that upon identifying a mismatch in compared digital
signatures, issuing an instruction to record an entry in a log file located in a second remote
database where the entry identifies a possible intrusion in a host, and issuing a command to an
operating system of the host to bring the host to a single user state, as in claim 1.



Attorney Docket No.: 1033-T00534C 



The Office admits that Moran fails to teach this feature. Office Action at page 3. The
Office then takes the position that Rowland teaches this feature at paragraphs 0037, 0053, 0065,
0145 and 0148. Rowland, at paragraph 0037, notes that a log handler 203 logs system events
locally or remotely. Paragraph 0053 of Rowland discloses the logging handler can accept a
variety of formats and notification can be sent in a number of ways but fails to disclose or suggest
bringing a host to a single user state.

Paragraph 0065 describes functionality of an action handler 204 and describes that the
action handler 204 can block hosts, users, networks, running commands, logging events, disabling
interfaces, disabling a computer, sending email, paging personnel and providing on-screen alerts.
However, paragraph 0065 fails to describe or suggest issuing a command to an operating system
of a host to bring the host to a single user state.

Paragraph 0145 also fails to describe or suggest issuing a command to an operating system
of a host to bring the host to a single user state. Paragraph 0145 of Rowland discusses that an
intrusion control agent 1302 performs certain functions at a host computer system including
disabling of the network interfaces, shutdown of active user accounts, locating and logging
suspicious activities, notifying a central controller of its actions, requesting collection of forensic
evidence, moving between other affected client systems and attempting to contain the intrusion
situation. Paragraph 0145 of Rowland mentions shutting down active user accounts. However,
shutting down active user accounts is distinct from bringing the host to a single user state. In fact,
Rowland appears to be suggesting bringing the host to a zero user state by shutting down the
active user accounts. Thus, none of these recited functions disclose or suggest issuing a command
to an operating system of the host to bring the host to a single user state, as in claim 1.


Paragraph 0148 similarly fails to disclose or suggest issuing a command to an operating
system of the host to bring the host to a single user state, as in claim 1. Rather, paragraph 0148 of
Rowland describes a known intrusion agent 1305 which is designed to specifically look for an
alarm on signs of known intrusion. However, nothing in paragraph 0148 discloses or suggests
bringing the host to a single user state.

Therefore, the cited portions of Moran and Rowland, individually or in combination, fail
to disclose or suggest the specific combination of claim 1. Hence, claim 1 is allowable. Claims 2
and 4-9 are allowable, at least by virtue of their dependence from an allowable claim. Further,
claims 2 and 4-9 recite additional features not disclosed or suggested by the cited portions of
Moran and Rowland.

U.S. App. No.: 10/605,689

For example, the cited portions of Moran and Rowland, individually or in combination, do
not disclose or suggest that a first remote database and a second remote database are located on a
single server or a plurality of servers belonging to a local area network, as in claim 4. The Office
takes the position that this feature is disclosed by Rowland at paragraphs 0037, 0053 and 0147.
Paragraphs 0037 and 0053 of Rowland were discussed above and fail to disclose or suggest that a
first remote database and a second remote database are located on a single server or a plurality of
servers belonging to a local area network. Rather, the cited paragraphs indicate that the logging
may be done on a remote server but do not disclose or suggest that the first remote database and
the second remote database are located on a single server or on a plurality of servers belonging to
a local area network. Paragraph 0147 of Rowland discusses a host scanning agent 1304 designed
to perform a host vulnerability assessment and vulnerability detection from within the host but
fails to disclose or suggest the first remote database and the second remote database are located on
a single server or a plurality of servers belonging to a local area network.

The cited portions of Moran and Rowland, individually or in combination, do not disclose
or suggest the specific combination of claims 10, 15 and 18. For example, the cited portions of
Moran and Rowland fail to disclose or suggest a command being issued to an operating system of
a host to bring the host to a single user state, as in claim 10, computer readable program code
comprising executable instructions to issue a command to an operating system of a host to bring
the host to a single user state, as in claim 15 and issuing a command to an operating system of a
host to bring the host to a single user state, as in claim 18.

The Office admits that Moran fails to teach this feature. Office Action at page 3. The
Office then takes the position that Rowland teaches this feature at paragraphs 0037, 0053, 0065,
0145 and 0148. Rowland, at paragraph 0037, simply notes that a log handler 203 logs system
events locally or remotely. Paragraph 0053 of Rowland discloses the logging handler can accept
a variety of formats and notification can be sent in a number of ways. Both paragraphs fail to
disclose or suggest bringing a host to a single user state.

Paragraph 0065 describes functionality of an action handler 204 and describes that the
action handler 204 can issue various commands. However, paragraph 0065 fails to describe or
suggest issuing a command to an operating system of a host to bring the host to a single user state.

Paragraph 0145 also fails to describe or suggest issuing a command to an operating system
of a host to bring the host to a single user state. Paragraph 0145 of Rowland discusses that an
intrusion control agent 1302 performs certain functions at a host computer system including
shutting down of active user accounts. However, shutting down active user accounts is distinct
from bringing the host to a single user state. In fact, Rowland appears to be suggesting bringing
the host to a zero user state by shutting down the active user accounts. Thus, none of these recited
functions disclose or suggest a command being issued to an operating system of a host to bring
the host to a single user state, as in claim 10, computer readable program code comprising
executable instructions to issue a command to an operating system of a host to bring the host to a
single user state, as in claim 15 and issuing a command to an operating system of a host to bring
the host to a single user state, as in claim 18.

Paragraph 0148 of Rowland describes a known intrusion agent 1305 which is designed to
specifically look for an alarm on signs of known intrusion. However, nothing in paragraph 0148
discloses or suggests bringing the host to a single user state.

Therefore, the cited portions of Moran and Rowland, individually or in combination, fail 
to disclose or suggest the specific combination of claims 10, 15 and 18. Hence, claims 10, 15 and 
18 are allowable. 

Claims 11-14 are allowable, at least by virtue of their dependence from allowable claim
10. Claim 16 is allowable, at least by virtue of its dependence from allowable claim 15. Claims
19-25 are allowable, at least by virtue of their dependence from allowable claim 18.

CONCLUSION



Applicants have pointed out specific features of the claims not disclosed, suggested, or
rendered obvious by the cited portions of the references applied in the Final Office Action.
Accordingly, Applicants respectfully request reconsideration and withdrawal of each of the
objections and rejections, as well as an indication of the allowability of each of the pending
claims. The Examiner is invited to contact the undersigned attorney at the telephone number
listed below if such a call would in any way facilitate allowance of this application.

The Commissioner is hereby authorized to charge any fees, which may be required, to 
credit any overpayment, to Deposit Account Number 50-2469. 



Respectfully submitted,



Date 





Attorney for Applicants



Toler Law Group, Intellectual Properties 
8500 Bluffstone Cove, Suite A201 
Austin, Texas 78759 
(512) 327-5515 (phone)
(512) 327-5575 (fax)